Someone tried to scam me. And honestly, it was a pretty good attempt. Here is the full story.
The Setup
A friend called me. Said there is an amazing deal. A million dollar company buys old human-written code, not AI generated, and they pay good money for it. There is a broker in the middle who connects sellers with the company. My friend was excited and so was I. We both have old projects sitting around doing nothing. Why not turn them into cash?
Next day my friend called again with the requirements. The repo must be at least 5 years old, minimum 2 contributors, and at least 75 commits. We did a video call and started going through our old projects to find ones that qualify. It felt real. Specific requirements always feel real.
I asked about the company. Indian. That was my first red flag. Not because of anything personal, just gut feeling. Something felt off. But I stayed curious. I wanted to see where this goes.
The Middleman
The middleman said they could not join the meeting that day and would join tomorrow. Unprofessional. I brushed it off. Maybe a scheduling mistake.
Then my friend forwarded me a zip file on WhatsApp. A Python script and a binary. They wanted us to run it on our git projects to “evaluate” the code and put a price on it.
I said no immediately. That was a hard no. I was only willing to sell the source code, not run scripts on my machine.
But I did not just ignore it. I downloaded it on my second machine, ran a virus check, and read the code carefully. And there it was. A full secret scanning module. AWS keys, GitHub tokens, Stripe keys, private keys, database connection strings, bearer tokens. The script was not measuring your code quality. It was hunting for credentials.
I told my friend this script is not safe. We are not running it.
The Meeting
We still had the meeting. I wanted to talk to them directly.
I asked who they are. Standard vague answer. I asked when they wrote the script. Few months back, they said. I asked if they wrote it on their mobile. No, on PC. Then why are you sending it from WhatsApp on mobile? They said they have it on both.
Then I asked about the exe file bundled in the zip. They said it collects metrics, lines of code, that kind of thing. To be fair, it was probably cloc.exe, a real tool for counting lines of code, and the Python script was calling it. So that part might have been legitimate. God knows.
I told them I use Linux and cannot run the exe anyway. They said it will run.
I laughed.
I showed them some of my current and old failed projects anyway, just to keep the conversation going. But I already knew. I clearly told them that I didn’t trust them and wouldn’t run the script unless they sent us an email through an official channel.
A few red flags I noted that day:
- We never got a meeting invitation. They just showed up.
- The meeting was on a weekend.
- Nobody on their team had a profile picture on their Google account.
The Email
They sent an official email from EduGorilla. I looked up the domain, found the website, saw mentions of InfoBay.ai everywhere. Cross-referenced InfoBay.ai and found EduGorilla mentioned there too. They were pointing to each other to look legitimate. I couldn’t believe it. I was almost convinced. Almost.
I did not reply to the email. Next day I got a follow up. “We are waiting for the metafile script output.” The desperation was visible. They needed me to run that script badly.
My friend called and said the email looked legitimate, and asked if we should try it. I still wasn’t sure, and both of us had a feeling they were scammers. I was busy at the time, so we decided to take a closer look over the weekend.
The TLD That We Missed
That weekend I called my friend and said I am not doing this. Something feels wrong. We agreed to drop it.
Then I went back and looked at the email one more time. And there it was.
The email was from edugorilla.org. Not edugorilla.com.
The website I had visited earlier, the one linked from InfoBay.ai, was edugorilla.com. That was the real site. The email came from edugorilla.org, which just redirects you to the .com. So when I tapped the link in the email I landed on the real-looking site and thought everything matched.
One character. .org vs .com. That was the whole trick.
I felt stupid for a moment. I matched the name but missed the TLD. Classic. But we caught it before doing anything irreversible.
What This Scam Actually Was
In case it is not obvious, this was a credential harvesting operation. The “code valuation” was just a story to make you willingly run malware on your own machine. Once you run the script on your repo, it silently scans for API keys, tokens, passwords, and database credentials. Those get sent somewhere. Then your AWS account is mining crypto, your Stripe keys are being drained, your GitHub account is compromised.
The whole setup, the friend referral, the specific requirements, the fake company, the cross-referencing websites, the official-looking email, the weekend meetings was engineered to build trust gradually until you just run the script.
They almost got my friend. Daily calls from the middleman. Constant pressure. That pressure is always a scam signal. Legitimate buyers do not chase you.
Update: They Are Still Trying
We got a call from the middleman again today. He claims the company is legit and has already paid a few sellers. Proof of concept, he said.
I am not buying it.
I asked him to have the company send us an email from their official infobay.ai domain. Not edugorilla. Not any third party. From infobay.ai directly. If the company is real and they have a relationship with them, that should be easy.
Let us see. I am hoping that one cannot be faked.
What I Learned
Trust your gut. Seriously. My inner voice said scam from the moment I heard “Indian company”, not because of where they were from, but because something in the whole setup felt engineered.
Read code before running it. Especially code from unknown sources. Especially when someone is paying you to run it on your own machine. That combination should always raise a flag.
Watch the TLD. You can match a domain name perfectly and still get tricked. .com, .org, .net – one character, completely different owner.
Slow down when someone is rushing you. The daily calls, the follow-up emails, the “we are waiting” messages, all of that is pressure. Real deals do not evaporate if you take a day to think.
And if a stranger sends you a script or executable file asking you to run it on your projects or computer, just don’t. Never. In some cases, malware can be installed just by receiving or downloading the file. See this WhatsApp example: Malwarebytes report on WhatsApp media bug.
Even if the sender turns out to be legitimate, running unknown scripts on your repositories or machine is not a safe practice. We only went this far out of curiosity. We have downloaded and scanned the files in a safe environment.
